Crafting better privacy laws, based on the California model with Alastair Mactaggart

On the second day of the WireWheel Spokes 2021 conference, WireWheel CEO and founder Justin Antonipillai hosted a conversation with Alastair Mactaggart, board chair and founder of Californians for Consumer Privacy, an advocacy group responsible for sponsoring groundbreaking and influential privacy legislation in California, including the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act.

Privacy Laws in Other States

Antonipillai opened the dialogue by noting that there are now 26 states considering some version of privacy laws based on California’s legislation, including Virginia and Colorado. He then asked Mactaggart to comment on the momentum behind these efforts to pass privacy legislation, and where that push may be coming from.

“First of all, I think this would never have been possible in California if it wasn’t an idea that’s embraced by the general population, by humans around the world, and people are increasingly concerned at the notion of being constantly surveilled,” he said. “It’s a funny thing: I always said that if the government were to do what corporations do all the time, people would be up in arms.”

Mactaggart continued by stating the California legislation “got the ball rolling,” and essentially laid the groundwork for other states to have the confidence to draft their own versions of privacy legislation. He does note, however, that it’s not simply a matter of “copying” what California has done—the reality, in fact, is far more complicated. “I think all these other states are just reflecting the deeply held belief among Americans that a lot of these practices have gone too far. I’m gratified at one level that other states are doing this, I think the devil is in the details.”

Mactaggart also commented on how corporations may try to skirt the laws. “It’s still amazing to me how many corporations are really trying to comply potentially with the letter of the law, but really try to evade the purpose of it or the intent of it, so I’m consistently amazed at how difficult it is to find the privacy rights that are supposed to be there very clearly here in California.”

More Legislation Doesn’t Equal Better Legislation

Mactaggart continued: “But look at Virginia, to opt out you have to do it yourself, you can’t use an agent, you have to send in some kind of potentially authenticated request, no one’s going to do that. One of the great benefits of California’s law is that it allows for my device, my global setting, my phone, my computer to do it for me. I’ve always said that privacy is widely believed in, but once you erect hurdles, people will say they’re too busy.”

Mactaggart also noted that he has heard from some businesses that their goal was to try to pass as many regulations as possible, just to get a watered-down version that actually isn’t a very effective law. In doing so, Mactaggart believes effective legislation may be difficult to come by, in the wake of the confusion caused by a wave of ineffectual laws in a slew of states.

Privacy from the Consumer’s POV

The conversation then pivoted to what the consumer experiences when confronted with data privacy notifications. Mactaggart said: “Once the CPRA regulations go into effect, these ‘cookie walls’ will sort of disappear, because what we have now is sort of annoying, they come up to collect your consent, and then you have to walk through the different variations of what you want to consent, and if they’re selling your information, there should be a ‘do not sell information button,’ pure and simple. That’s what should be there and it should not be complicated.”

Mactaggart went on to describe how businesses are pushing back against privacy laws, or at least figuring out ways to do the minimum necessary to comply. He went on to state that, although industries might proclaim that the variety of laws across different states means that privacy regulation is untenable, in fact, the patchwork of state laws can and does work fine. “You know what people want, it’s not so different whether it’s in Europe or here or Japan, they want to know what information is being collected about them, they want to be able to stop it going where they don’t want it to go, they want be able to delete it, they want to control, and they don’t want to be the product,” he said.

The California Privacy Protection Agency

Mactaggart then gave a brief rundown of the board structure of the California Privacy Protection Agency (CPPA), the regulator for privacy in California, and how the leadership plans to move forward.

“The board has been constituted, it has held its first meeting,” he said. “The way we [designed the board], it’s not a full-time, paid board. That was intentional, because the sense is that the administration is where the point of the spear is going to be. So clearly, the most important job is going to be hiring the executive director. That process will be interesting, and then they also get to choose an auditor. Whom they hire for that administration will be very important.”

The Board’s role, he continued, would center around oversight, as well as approving settlements and investigations. He noted that the bylaws of the Board had yet to be written, but stressed his confidence in Board Chair Jennifer M. Urban, Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley School of Law, to guide the CPPA in the right direction.

He also highlighted the skills of another Board member, Lydia de la Torre, a professor at Santa Clara University Law School, an expert in both American and European privacy law.

Mactaggart noted that the Board’s draft regulations are due one short year from now, on July 1, 2022.

The Evolution of Good Ideas

Mactaggart then described his intentions and thought processes behind privacy regulations in CCPA and CPRA, and how these rules changed as the proposal advanced through the state legislature. He credited the European model as a source of inspiration. “Anybody who knows about the European GDPR, in many respects, many of the important principles are drawn from that.”

He then addressed a question about whether he feared whether “privacy agents” who represent consumers might try to defraud them. Mactaggart countered that some kind of certification process for that role would most likely be implemented and that a framework would be established to adequately handle any potential issues.

And the Evolution of Good Laws

Mactaggart went on to comment about what he would like to see in a comprehensive federal data privacy law—and expressed some misgivings about the effectiveness of such a law. “I’m not holding my breath on legislation in Washington,” he said. “Anything’s possible. I think that the problem and the opportunity now are that privacy is a moving target—and will be, and should be because technology is moving … think of an area of law—antitrust, environmental—these things change over time. And where I would say this is a good first step—we now have one in eight Americans that I think have really good privacy coverage—but come back to this space in 10 years, 20 years, 30 years, it’s going to look radically different.”

Wrestling with Privacy Laws In Europe and the U.S.

With recent data privacy decisions in Europe—including issues around data privacy shields and adequacy—Mactaggart discussed the relationship between the US and the EU when it comes to data privacy and the flow of information. “My attitude has always been, ‘solve what you can solve,’ and obviously a state can’t solve a national security issue. But I’ve always believed that there’s too much at stake between the two trading blocs for this national security issue to prevent data from flowing. They will solve it—and ‘they’ being the US administration and the Europeans … But then you still have the problem of what’s the adequate data protection regime, right? So, I think there’s a role for California to play, assuming that the national security issue gets solved.

With the current privacy climate in Europe—and the evolving approaches to data privacy in the U.S.–companies face an increasingly complex (and sometimes burdensome) situation, and Mactaggart stresses that the key element is to develop adequate legislation that would address these issues—and soon.

“You know, the important thing is having the legislation,” said Mactaggart. “I think it’s an opportune time … we have this ability to write regulations to kind of solve [issues], assuming it doesn’t go against the statute here. I’m hopeful that this will vault us into the first tier of privacy around the world, and that this would be an anchor for privacy in this country.”

Raising Public Awareness of Privacy Protections

Next, Mactaggart addressed the need for public awareness campaigns to make individuals aware of CCPA and CPRA, as well as their rights and responsibilities with regard to the statutes. “I think probably the average Californian has no clue … out of the 40 million Californians, I think probably fewer rather than more are aware of their privacy rights,” he said.

The conversation then touched on the practicality of alerting users about their rights as they visit websites and so on. Mactaggart emphasized the need for simplicity and useability in order to help consumers understand how their data is being used, what data is being collected, and where it may be stored. “What I would say is that, if at the end of the day, if this is a series of obstacles that companies that want to transact in your data have to leap over in order to keep on transacting your data … because they’ve made it so difficult for people to access their rights, then I say we will have failed—and there’s a risk of that clearly.”

“I feel like the effort will have succeeded in general if the industry that is currently trying to transact in your data ends up giving people really clear, easy meaningful ways to stop that transaction of your data.”

Mactaggart then used the analogy of air travel to illustrate how it should be a straightforward mechanism for the consumer to restrict data use. “I shouldn’t have to be able to fix a jet engine to get on the plane,” he said. “I should be able to get on a plane and expect it to be safe because the government inspects these airlines … why when I visit a website should that data be sold, or should I not at least be able to easily control that?”

Mactaggart closed by noting that not all companies are looking to surreptitiously collect customer data for questionable purposes. “There are many companies whose business is not buying and selling people’s information—they’re trying to deliver a product,” he said. “And then there are many companies whose business is tracking me ubiquitously forever, always trying to know as much about me as possible, and I think that I’d like some rights around that.”